Renewing client and server certificates
Learn how to renew IBM Storage Scale client and server certificates.
During encryption, the GPFS daemon acts as a key client and requests master encryption keys (MEKs) from a Remote Key Management (RKM) server. The supported RKM servers are IBM® Security Key Lifecycle Manager (SKLM) and Thales Vormetric Data Security Manager (DSM).
When a digital client or server certificate expires, the IBM Storage Scale client cannot access encrypted files, because it can no longer retrieve MEKs from the RKM server. The following topics describe how to recognize certificate expiration errors and how to renew client and server certificates.
MEKs do not expire unless they are explicitly removed from a key server.
The following table shows the default lifetimes of client and server certificates:
Item | Type of certificate | Default lifetime |
---|---|---|
IBM Storage Scale | Client | 3 years¹ |
IBM Security Key Lifecycle Manager (SKLM) | Server | 3 years |
Thales Vormetric Data Security Manager (DSM) | Server | 10 years |

¹ You can create an IBM Storage Scale client certificate with a shorter or longer lifetime by issuing the mmkeyserv client create command with the --days option.